
Federal Communications Commission 
Washington, D.C. 20554 

July 10, 2019


Ms. Emma Best 
MuckRock News 
DEPT MR 74296 
411A Highland Avenue 
Somerville, MA 02144-2516 


Re: FOIA Control No. 2019-000490 


Dear Ms. Best: 


This letter responds to your Freedom of Information Act (FOIA) request for “[c]opies of records 
mentioning or describing audits, reviews, investigations or reports regarding the agency's cyber 
security, including audits or investigations regarding the state of the agency's cyber security 
regarding potential attacks as well as audits and investigations conducted in the wake of a 
suspected or actual cyber attack, hacking incident or breach” from January 1, 1996 to June 30, 
2016. 

FCC OIG has identified 50 documents. All of them are accessible on the FCC website. 

All 49 audit documents can be found at:
https://www.fcc.gov/inspector-general/reports/general/audit-inspection-and-evaluation-reports-issued-office-inspector#block-menu-block-4

These include: 

05/09/16 FY15 Federal Communications Commission's (FCC) Fiscal Year 2015 Federal 
Information Security Management Act (FISMA) Report 

11/21/14 Transmittal Memorandum for Report on the Federal Communications Commission's 
Fiscal Year 2014 Federal Information Security Management Act (FISMA) Evaluation Released 

04/10/14 Transmittal Memorandum for Federal Communications Commission (FCC) Physical 
Security Assessment Report Released 

03/12/14 Transmittal Memorandum for Audit of FCC Compliance with OMB Circular No. A-130,
Revised

01/08/14 Transmittal Memorandum for Report on the Federal Communications Commission's 
Fiscal Year 2013 Federal Information Security Management Act (FISMA) Evaluation Released 

06/14/13 Transmittal Memorandum for the Federal Communications Commission (FCC) Website 
Security Assessment Released 

12/31/12 Transmittal Memorandum for Report on the Federal Communications Commission's 
Fiscal Year 2012 Federal Information Security Management Act (FISMA) Evaluation Released 





12/14/11 Transmittal Memorandum for Report on the Federal Communications Commission's 
Fiscal Year 2011 Federal Information Security Management Act (FISMA) Evaluation Released 

03/29/11 Transmittal Memorandum for Report on the Federal Communications Commission’s 
Fiscal Year 2010 Federal Information Security Management Act (FISMA) Evaluation Released 

12/2/05 Report on the FY 2004 Audit of Network Infrastructure Controls 

6/3/05 Report on the Audit of Wireless Network Controls 

5/27/05 Report on the Audit of the Integrated Spectrum Auctions System (ISAS) 

10/28/04 Physical Security Review of Gettysburg Site 

10/22/04 Report on Follow Up to the Audit of Web Presence Security 

10/15/04 Inspector General Statement on the Federal Communications Commission's Fiscal Year 
2004 Major Management Challenges 

10/6/04 FY 2004 Federal Information Security Management Act (FISMA) Independent 
Evaluation 

9/20/04 Report on Fiscal Year 2004 Federal Information Security Management Act (FISMA) 
Evaluation and Risk Assessment 

2/6/04 Report on Fiscal Year 2003 Federal Information Security Management Act (FISMA) 
Evaluation and Risk Assessment 

11/24/03 Report on Audit of the Revenue Accounting and Management Information System 
(RAMIS) 

9/29/03 Survey of Systems Development Life Cycle (SDLC) Implementation 

9/22/03 FY 2003 Federal Information Security Management Act (FISMA) Independent
Evaluation 

9/12/03 Report on Audit of Auctions IT Capital Investment Practices 

1/10/03 Report on the Follow-up Audit of Computer Controls at the FCC Consumer Center 

1/6/03 Report on GISRA Evaluation - Findings and Recommendations 

9/16/02 FY 2002 GISRA Evaluation 

11/29/01 Report on Government Information Security Reform Act Evaluation - Findings and 
Recommendations 

9/5/01 Evaluation of the Commission's Information Security Program in accordance with the 
Government Information Security Reform Act (GISRA) 

6/13/01 Audit of Web Presence Security 

4/10/01 Special Review of Internet Privacy and Web Cookies 

8/16/99 Audit of the Federal Communications Commission Year 2000 Program

2/9/98 Special Review of Auction Application Security [Transmittal Memorandum] 

3/5/97 Report on the Audit of Network Remote Dial-In Security

3/28/96 Follow-Up Audit of Physical Security of the Local Area Network

There are an additional 16 audit documents that are financial statement audits. Their focus is not
cyber security, but it is mentioned and broadly discussed in the opinion report. Therefore, to be 
as thorough as possible, they are listed below. 

11/14/14 Fiscal Year 2014 Federal Communications Commission's Financial Statements Audit 
Transmittal Letter and Report 

12/13/13 Audit of the Federal Communications Commission's Financial Statements for Fiscal 
Year 2013 

11/14/12 Audit of the Federal Communications Commission's Financial Statements for Fiscal 
Year 2012 

11/14/11 Audit of the Federal Communications Commission's Financial Statements for Fiscal 
Year 2011 

11/12/10 Audit of the Federal Communications Commission's Financial Statements for Fiscal 
Year 2010 

11/13/09 Audit of the Federal Communications Commission Financial Statements for Fiscal Year 
2009 

11/13/08 Report on the Federal Communications Commission Fiscal Year 2008 and 2007 
Financial Statements 

11/15/07 Report on the Federal Communications Commission Fiscal Year 2007 and 2006
Financial Statements 

11/15/06 Report on the Federal Communications Commission Fiscal Year 2006 Financial 
Statements 

11/15/05 Report on the Federal Communications Commission Fiscal Year 2005 Financial 
Statements 

11/15/04 Report on the Federal Communications Commission Fiscal Year 2004 Financial 
Statements 

12/19/03 Report on the Federal Communications Commission Fiscal Year 2003 Financial 
Statements 

1/31/03 Report on the Federal Communications Commission Fiscal Year 2002 Financial 
Statements 

4/30/02 Report on the Federal Communications Commission Fiscal Year 2001 Financial 
Statement 

6/27/01 Report on the Federal Communications Commission Fiscal Year 2000 Financial 
Statements 

7/7/00 Report on the Federal Communications Commission Fiscal Year 1999 Financial Statement 

The final responsive document is the Report of Investigation (ROI) for case number OIG-I-17- 
0011 titled “Alleged Multiple Distributed Denial-Of-Service (DDoS) Attacks involving the 
FCC’s Electronic Comment Filing System (ECFS)” or “ECFS DDos.” It includes a cover letter 
addressed to the Inspector General from the Assistant Inspector General-Investigations and a 
written response from Chairman Pai. This document is available on the FCC website at 
https://www.fcc.gov/sites/default/files/fcc-oig-roi-ecfs-ddos-08072018.pdf. This document
contains marked redactions pursuant to FOIA Exemptions 6, 7(C), and 7(E). 

FOIA Exemption 6 protects “personnel and medical files and similar files the disclosure of which
would constitute a clearly unwarranted invasion of personal privacy.”1 Balancing the public’s
right to disclosure against the individual’s right to privacy, we have determined release of this 
information would constitute a clearly unwarranted invasion of personal privacy. The redacted 
information includes the names and contact information of individuals. We have determined it is 
reasonably foreseeable disclosure would harm the privacy interest of the persons mentioned in 
these records, which Exemption 6 is intended to protect. 

FOIA Exemption 7(C) protects “records or information compiled for law enforcement purposes 
[the production of which] could reasonably be expected to constitute an unwarranted invasion of 
personal privacy.”2 Balancing the public’s right to disclosure against the individual’s right to
privacy, we have determined release of this information would constitute an unwarranted 
invasion of personal privacy. The redacted information includes the names of individuals who 
were/are employed at this agency. We have determined it is reasonably foreseeable disclosure 
would harm the Commission or the Federal government’s law enforcement activities, which 
Exemption 7 is intended to protect.

FOIA Exemption 7(E) protects “records or information compiled for law enforcement purposes 
[the production of which] would disclose techniques and procedures for law enforcement 
investigations or prosecutions, or would disclose guidelines for law enforcement investigations or 
prosecutions if such disclosure could reasonably be expected to risk a circumvention of the law.”3
Information redacted under this Exemption concerns specific techniques and procedures for law 
enforcement investigations and prosecutions that, if made public, may allow targets to avoid 
prosecution in future investigations. We have determined it is reasonably foreseeable that 
disclosure would harm the Commission or the Federal government’s law enforcement activities, 
which Exemption 7(E) is intended to protect. 

The FOIA requires that “any reasonably segregable portion of a record” must be released after 
appropriate application of the Act’s exemptions.4 However, when nonexempt information is
“inextricably intertwined” with exempt information, reasonable segregation is not possible.5 The
redactions and/or withholdings made are consistent with our responsibility to determine if any 
segregable portions can be released. To the extent non-exempt material is not released, it is 
inextricably intertwined with exempt material. 

We also reviewed the responsive document to determine if discretionary release is appropriate.6
The materials protected from disclosure under Exemption 6 are not appropriate for discretionary 
release in light of the personal privacy interests involved. The materials protected from 
disclosure under Exemption 7 are not appropriate for discretionary release in light of the law 
enforcement sensitivities involved. 

We are required by both the FOIA and the Commission’s own rules to charge requesters certain
fees associated with the costs of searching for, reviewing, and duplicating the sought after
information.7 To calculate the appropriate fee, requesters are classified as: (1) commercial use
requesters; (2) educational requesters, non-commercial scientific organizations, or representatives
of the news media; or (3) all other requesters.8


1 5 U.S.C. § 552(b)(6).

2 5 U.S.C. § 552(b)(7)(C).

3 5 U.S.C. § 552(b)(7)(E).

4 5 U.S.C. § 552(b) (sentence immediately following exemptions).

5 Mead Data Cent. Inc. v. Dep't of the Air Force, 566 F.2d 242, 260 (D.C. Cir. 1977).

6 See President’s Memorandum for the Heads of Executive Departments and Agencies, Freedom of
Information Act, 74 Fed. Reg. 4683 (2009).

Pursuant to section 0.466(a)(5)-(7) of the Commission’s rules, you have been classified as 
category (2), “educational requesters, non-commercial scientific organizations, or representatives 
of the news media.” As an “educational requester, non-commercial scientific organization, or 
representative of the news media,” the Commission assesses charges to recover the cost of 
reproducing the records requested, excluding the cost of reproducing the first 100 pages. The 
production in response to your request did not involve more than 100 pages of duplication. 
Therefore, you will not be charged any fees. 

You may seek review by filing an application for review with the Office of General Counsel. An 
application for review must be received by the Commission within 90 calendar days of the date of 
this letter.9 You may file an application for review by mailing the application to Federal
Communications Commission, Office of General Counsel, 445 12th St SW, Washington, DC
20554, or you may file your application for review electronically by e-mailing it to
FOIA-Appeal@fcc.gov. Please caption the envelope (or subject line, if via e-mail) and the application
itself as “Review of Freedom of Information Action.” 

If you would like to discuss this response before filing an application for review to attempt to 
resolve your dispute without going through the appeals process, you may contact the 
Commission’s FOIA Public Liaison for assistance at: 


FOIA Public Liaison 

Federal Communications Commission, Office of the Managing Director, Performance 
Evaluation and Records Management 
445 12th St SW, Washington, DC 20554
202-418-0440 

FOIA-Public-Liaison@fcc.gov 

If you are unable to resolve your FOIA dispute through the Commission’s FOIA Public Liaison, 
the Office of Government Information Services (OGIS), the Federal FOIA Ombudsman’s office, 
offers mediation services to help resolve disputes between FOIA requesters and Federal agencies. 
The contact information for OGIS is: 

Office of Government Information Services 

National Archives and Records Administration 

8601 Adelphi Road-OGIS 

College Park, MD 20740-6001 

202-741-5770 

877-684-6448 

ogis@nara.gov 

ogis.archives.gov 


7 See 5 U.S.C. § 552(a)(4)(A), 47 C.F.R. § 0.470. 

8 47 C.F.R. § 0.470.

9 47 C.F.R. §§ 0.461(j), 1.115; 47 C.F.R. § 1.7 (documents are considered filed with the Commission upon
their receipt at the location designated by the Commission).

Sincerely,




Sharon R. Diskin 
Assistant Inspector General- 
Investigations 


Enclosure 

cc: FCC FOIA Office 